Query Details

Audit MFA Changes for Privileged Users

Query

//Alert when any users who hold a privileged Azure AD role make MFA configuration changes or an admin changes MFA details on a privileged user

//Data connector required for this query - Azure Active Directory - Audit Logs
//Data connector required for this query - Microsoft Sentinel UEBA

//Lookup the IdentityInfo table for any users holding a privileged role
//(the most recent IdentityInfo record per account within the last 21 days, kept only if AssignedRoles lists at least one directory role)
let privusers=
    IdentityInfo
    | where TimeGenerated > ago(21d)
    | summarize arg_max(TimeGenerated, *) by AccountUPN
    | where isnotempty(AssignedRoles)
    | where AssignedRoles != "[]"
    | distinct AccountUPN;
//Lookup MFA configuration events for those privileged users
AuditLogs
| where TimeGenerated > ago(1d)
| where OperationName in~ ("Admin registered security info", "Admin updated security info", "Admin deleted security info", "User registered security info", "User changed default security info", "User deleted security info")
| extend UserPrincipalName = tostring(TargetResources[0].userPrincipalName)
| where UserPrincipalName in~ (privusers)
| project TimeGenerated, OperationName, UserPrincipalName

Explanation

This query alerts when a user who holds a privileged Azure AD role makes MFA configuration changes, or when an admin changes MFA details on such a user. It uses the Azure Active Directory - Audit Logs data connector and the Microsoft Sentinel UEBA data connector.

First, it queries the IdentityInfo table over the past 21 days, takes the most recent record for each AccountUPN, keeps only accounts whose AssignedRoles value is neither empty nor an empty list ("[]"), and returns the distinct account names.

Next, it looks for MFA configuration events in the AuditLogs table within the past day, filtering on the specific operation names that correspond to security info (MFA) registration, update and deletion. It extracts the target user's UPN from TargetResources[0].userPrincipalName into a UserPrincipalName column and keeps only events where that UPN appears in the privileged-user list from the previous step. Finally, it projects the TimeGenerated, OperationName, and UserPrincipalName fields for the results.
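The same detection enriched with who performed the change, from which IP, and whether it was self-service, admin-initiated or app-initiated, is shown below as an added example; it is not part of the original query. It assumes the standard AuditLogs columns InitiatedBy (with user.userPrincipalName, user.ipAddress and app.displayName), Result and CorrelationId.

```kql
// Added example, not the original query: enrich privileged-user MFA changes with actor details.
// Assumes AuditLogs exposes InitiatedBy, Result and CorrelationId as in the standard schema.
let privusers =
    IdentityInfo
    | where TimeGenerated > ago(21d)
    | summarize arg_max(TimeGenerated, *) by AccountUPN
    | where isnotempty(AssignedRoles) and AssignedRoles != "[]"
    | distinct AccountUPN;
AuditLogs
| where TimeGenerated > ago(1d)
| where OperationName in~ ("Admin registered security info", "Admin updated security info", "Admin deleted security info",
                           "User registered security info", "User changed default security info", "User deleted security info")
| extend TargetUPN = tostring(TargetResources[0].userPrincipalName)
| where TargetUPN in~ (privusers)
// Who made the change: an interactive user session or an application / service principal
| extend ActorUPN = tostring(InitiatedBy.user.userPrincipalName),
         ActorIP  = tostring(InitiatedBy.user.ipAddress),
         ActorApp = tostring(InitiatedBy.app.displayName)
// Classify the change so triage can prioritise admin- or app-driven changes over self-service ones
| extend ChangeType = case(
        OperationName startswith "Admin", "AdminInitiated",
        ActorUPN =~ TargetUPN,             "SelfService",
        isnotempty(ActorApp),              "AppInitiated",
                                           "Other")
// Deletions of security info on a privileged account are the highest-risk change
| extend IsDeletion = OperationName has "deleted"
| project TimeGenerated, OperationName, ChangeType, IsDeletion, TargetUPN, ActorUPN, ActorIP, ActorApp, Result, CorrelationId
| order by IsDeletion desc, TimeGenerated desc
```

CorrelationId lets an analyst pivot to the sign-in that preceded the change when confirming whether the actor session was legitimate.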

Details

Matt Zorich

Released: June 17, 2022

Tables

IdentityInfo, AuditLogs

Keywords

AzureAD, AuditLogs, IdentityInfo, AccountUPN, AssignedRoles, MFA configuration, TimeGenerated, OperationName, UserPrincipalName, TargetResources, userPrincipalName

Operators

where, summarize, arg_max, by, isnotempty, distinct, ago, in~, extend, tostring, project
